Releases: Toporin/SatochipApplet

v0.15-0.1: MuSig2 support (beta)

16 Jun 09:18
Pre-release

MuSig2 support (experimental): added a mechanism to ensure that the BIP327 encrypted secnonce cannot be reused.

This implementation has been validated against the relevant BIP327 test vectors.

Overview of MuSig2 Smartcard Implementation

Given the resource limitations of smartcards (no display/button and constrained memory), we’ve implemented a partial version of the BIP327 specification, specifically the following algorithms that involve the private key:

  • Nonce generation: NonceGen(sk, pk, aggpk, m, extra_in)
  • Partial signing: Sign(secnonce, sk, session_ctx)

NonceGen:

  • The private key (sk) is derived from a seed imported onto the card during setup.
  • The card uses the internal sk, along with wallet-provided data (pk, aggpk, 32-byte m, and 32-byte extra_in) and 32 bytes of internal randomness to generate the pubnonce and secnonce.
  • The pubnonce is returned to the wallet, and the secnonce is encrypted using a random 16-byte key only known to the card.
  • Exporting the encrypted secnonce avoids having to store it in card memory, enabling multiple parallel NonceGen() sessions.

Sign:

  • The wallet sends back the encrypted secnonce and session context data to the card.
  • The card decrypts the secnonce, verifies it matches the expected public key, and performs the signing operation using its internal private key.
  • The final output is the 32-byte psig.

Due to limited card resources, some session context data is preprocessed externally by the wallet. The card requires the following inputs (as per BIP327 notation):

  • b (32 bytes)
  • e*a mod n (32 bytes)
  • has_even_y(R) (1 byte)
  • g*gacc (1 byte)

Note: The smartcard performs blind signing, so limited checks are possible on the session context data. The card internally computes:
psig = (k1 + b*k2 + e*a*d) mod n.

secnonce reuse check

This is implemented using a 2-byte counter starting from 1.
This counter is incremented during each GenerateSecnonce() execution.
A unique id based on this counter is saved in the encrypted secnonce that is exported, and also stored in the chip in a list of valid ids.

During Musig2SignHash(), the id recovered from the decrypted secnonce is checked against the locally-stored list of valid ids.
If the id is found, the secnonce is considered valid and the id is removed from the list of valid ids to ensure it cannot be reused.
If the id is not found, the secnonce is considered invalid and an error is thrown.
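
The single-use check described above, as an added Python model (not the applet's JavaCard code). Assumptions: the names CardModel and SecnonceRejected are hypothetical, the id is the raw counter value, a SHAKE-256 keystream with an HMAC tag stands in for the card's cipher, and k1/k2 are drawn at random instead of through the BIP327 NonceGen derivation. The public-key check and the has_even_y(R) and g*gacc inputs are left out.

```python
import hashlib, hmac, secrets

N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # secp256k1 group order

class SecnonceRejected(Exception):
    """Blob was tampered with, already used, or never issued by this card."""

class CardModel:
    def __init__(self, d):
        self.d = d                           # private key, stays on the card
        self.key = secrets.token_bytes(16)   # random 16-byte key known only to the card
        self.counter = 0                     # 2-byte counter, first id issued is 1
        self.valid_ids = set()               # ids exported but not yet consumed

    def _stream(self, iv, n):
        # Stand-in cipher (assumption): the page does not show the applet's cipher.
        return hashlib.shake_256(self.key + iv).digest(n)

    def _tag(self, data):
        return hmac.new(self.key, data, hashlib.sha256).digest()

    def generate_secnonce(self):
        self.counter += 1
        nonce_id = self.counter.to_bytes(2, "big")  # OverflowError once 2 bytes are exhausted
        k1, k2 = (secrets.randbelow(N - 1) + 1 for _ in range(2))
        plain = nonce_id + k1.to_bytes(32, "big") + k2.to_bytes(32, "big")
        iv = secrets.token_bytes(16)
        ct = bytes(p ^ s for p, s in zip(plain, self._stream(iv, len(plain))))
        self.valid_ids.add(nonce_id)                # remembered on the card
        return iv + ct + self._tag(iv + ct)         # exported to the wallet

    def sign(self, blob, b, ea):
        iv, ct, tag = blob[:16], blob[16:-32], blob[-32:]
        if not hmac.compare_digest(tag, self._tag(iv + ct)):
            raise SecnonceRejected("blob not produced by this card")
        plain = bytes(c ^ s for c, s in zip(ct, self._stream(iv, len(ct))))
        nonce_id = plain[:2]
        if nonce_id not in self.valid_ids:
            raise SecnonceRejected("id not in the list of valid ids")
        self.valid_ids.remove(nonce_id)             # consume the id before signing
        k1 = int.from_bytes(plain[2:34], "big")
        k2 = int.from_bytes(plain[34:], "big")
        return (k1 + b * k2 + ea * self.d) % N      # psig formula from the notes above
```

Because only the 2-byte id stays on the card, several exported secnonces can be outstanding at once, and each one is accepted exactly once.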

Satochip v0.15-0.0: MuSig2 support (experimental)

23 May 13:59

MuSig2 support (experimental)

Overview of MuSig2 Smartcard Implementation

Given the resource limitations of smartcards (no display/button and constrained memory), we’ve implemented a partial version of the BIP327 specification, specifically the following algorithms that involve the private key:

  • Nonce generation: NonceGen(sk, pk, aggpk, m, extra_in)
  • Partial signing: Sign(secnonce, sk, session_ctx)

NonceGen:

  • The private key (sk) is derived from a seed imported onto the card during setup.
  • The card uses the internal sk, along with wallet-provided data (pk, aggpk, 32-byte m, and 32-byte extra_in) and 32 bytes of internal randomness to generate the pubnonce and secnonce.
  • The pubnonce is returned to the wallet, and the secnonce is encrypted using a random 16-byte key only known to the card.
  • Exporting the encrypted secnonce avoids having to store it in card memory, enabling multiple parallel NonceGen() sessions.

Sign:

  • The wallet sends back the encrypted secnonce and session context data to the card.
  • The card decrypts the secnonce, verifies it matches the expected public key, and performs the signing operation using its internal private key.
  • The final output is the 32-byte psig.

Due to limited card resources, some session context data is preprocessed externally by the wallet. The card requires the following inputs (as per BIP327 notation):

  • b (32 bytes)
  • e*a mod n (32 bytes)
  • has_even_y(R) (1 byte)
  • g*gacc (1 byte)

Note: The smartcard performs blind signing, so limited checks are possible on the session context data. The card internally computes:
psig = (k1 + b*k2 + e*a*d) mod n.

This implementation has been validated against the relevant BIP327 test vectors.

[Beta] Satochip v0.14-0.2 with Schnorr support for Taproot & Nostr

19 Dec 13:51

Satochip-applet v0.14-0.2: javacard applet for the Satochip hw wallet (to be used with the electrum-satochip or Sparrow-Satochip or Uniblow-Satochip). If 2-Factor-Authentication (2FA) is enabled, the Satochip-2FA app should be installed from the Android App Store (iOS app coming soon).

Compared to v0.12, v0.14 adds the following functionalities:

  • Schnorr signature support for Taproot (to be used with Sparrow-Satochip wallet)
  • Schnorr signature support for Nostr (no key tweaking)
  • This is a beta release

Schnorr signatures can be tested using pysatochip v0.15.3 command line interface:

  • Import a private key on slot #0:
python3 satochip_cli.py --verbose satochip-import-privkey --keyslot 0 --privkey aabbccddeeff00112233445566778899aabbccddeeff00112233445566778899
  • Get the corresponding public key:
python3 satochip_cli.py satochip-get-pubkey-from-keyslot --keyslot 0
  • Sign a hash with Schnorr on this slot:
python3 satochip_cli.py satochip-sign-schnorr-hash --hash 796962c8f2a7b8540f818cbe37d2894b1ab4b71bccddced12e2a4dc11d8802c3 --keyslot 0

Note on backward compatibility: v0.14 is backward compatible with clients supporting the v0.12 applet since only the Schnorr signature functionality is added.

Note for developers:
It is recommended to test the software on the Bitcoin testnet (e.g. using electrum.exe -v --testnet or ./sparrow --level DEBUG --network testnet).
Regarding hardware support: only cards with MessageDigest.ALG_SHA_512 and ALG_EC_SVDP_DH_PLAIN_XY are supported!

This software is provided 'as-is', without any express or implied warranty. In no event will the authors be held liable for any damages arising from the use of this software.

[Beta] Satochip v0.14 with Schnorr (Taproot) support

05 Oct 10:06

Satochip-applet v0.14-0.1: javacard applet for the Satochip hw wallet (to be used with the electrum-satochip or Sparrow-Satochip or Uniblow-Satochip). If 2-Factor-Authentication (2FA) is enabled, the Satochip-2FA app should be installed from the Android App Store (iOS app coming soon).

Compared to v0.12, v0.14 adds the following functionalities:

  • Schnorr signature support for Taproot (to be used with Sparrow-Satochip wallet)
  • This is a beta release

Note on backward compatibility: v0.14 is backward compatible with clients supporting the v0.12 applet since only the Schnorr signature functionality is added.

Note for developers:

It is recommended to test the software on the Bitcoin testnet (e.g. using electrum.exe -v --testnet or ./sparrow --level DEBUG --network testnet).
Regarding hardware support: only cards with MessageDigest.ALG_SHA_512 and ALG_EC_SVDP_DH_PLAIN_XY are supported!

This software is provided 'as-is', without any express or implied warranty. In no event will the authors be held liable for any damages arising from the use of this software.

Satochip v0.12 with SeedKeeper support

30 Sep 07:38

Satochip-applet v0.12-0.5: javacard applet for the Satochip hw wallet (to be used with the electrum-satochip or Metamask-Satochip or MyEtherWallet-Satochip wallet). If 2-Factor-Authentication (2FA) is enabled, the Satochip-2FA app should be installed from the Android App Store.

Compared to v0.11, v0.12 adds the following functionalities:

  • Card label
  • Support for encrypted seed import from a SeedKeeper
  • 2FA can be disabled using reset2FAKey() without resetting the seed
  • Reset to factory support (using the FactoryResetTool application)
  • Support for personalisation PKI: allows verifying card authenticity based on a device certificate & PKI

Note on backward compatibility: v0.12 should be mostly backward compatible with clients supporting the v0.11 applet, except during seed import: in v0.12, the authentikey is fixed (generated once during applet install), while in v0.11, the authentikey was HMAC-derived from the seed. In pysatochip v0.11.x, the authentikey was checked after import: this check will fail with v0.12 and you may need to restart the client.

Note for developers:

  • It is recommended to test the software on the Bitcoin/Ethereum testnet (e.g. using electrum.exe -v --testnet).
  • Regarding hardware support: only cards with MessageDigest.ALG_SHA_512 and ALG_EC_SVDP_DH_PLAIN_XY are supported!

This software is provided 'as-is', without any express or implied warranty. In no event will the authors be held liable for any damages arising from the use of this software.

Satochip v0.11 with Secure Channel support

16 Jun 10:46

Satochip-applet v0.11-0.1: javacard applet for the Satochip hw wallet (to be used with the electrum-satochip or MyCrypto-Satochip gui wallet application). If 2-Factor-Authentication (2FA) is enabled, the Satochip-2FA app should be installed from the Android App Store.

Compared to v0.10-0.4, v0.11 adds mandatory Secure Channel support, meaning that communication between the card and the client is encrypted and authenticated. Secure channel is based on ECDH key agreement.

Note for developers:

  • It is recommended to test the software on the Bitcoin/Ethereum testnet (e.g. using electrum.exe -v --testnet).
  • Regarding hardware support: only cards with MessageDigest.ALG_SHA_512 and ALG_EC_SVDP_DH_PLAIN_XY are supported!

This software is provided 'as-is', without any express or implied warranty. In no event will the authors be held liable for any damages arising from the use of this software.

Satochip v0.10-0.4 with Ethereum support

16 Jun 10:35

Satochip-applet v0.10-0.4: javacard applet for the Satochip hw wallet (to be used with the electrum-satochip or MyCrypto-Satochip gui wallet application). If 2-Factor-Authentication (2FA) is enabled, the Satochip-2FA app should be installed from the Android App Store.

Compared to v0.9, this version supports signing a custom tx hash directly, e.g. for Ethereum tx (since it uses a SHA3 hash, which is not supported natively by javacards). Compared to v0.10-0.1, the code has been optimized to support native SHA512 and EC pubkey recovery (ALG_EC_SVDP_DH_PLAIN_XY). The code has also been cleaned up, with the old Java code for SHA512 and legacy pubkey recovery (ALG_EC_SVDP_DH_PLAIN) removed. Consequently, ONLY CARDS with MessageDigest.ALG_SHA_512 and ALG_EC_SVDP_DH_PLAIN_XY are supported!

Note for developers:

  • It is recommended to test the software on the Bitcoin/Ethereum testnet (e.g. using electrum.exe -v --testnet).
  • Regarding hardware support: only cards with MessageDigest.ALG_SHA_512 and ALG_EC_SVDP_DH_PLAIN_XY are supported!

This software is provided 'as-is', without any express or implied warranty. In no event will the authors be held liable for any damages arising from the use of this software.

Satochip v0.10 with Ethereum support

25 Apr 09:18
Pre-release

Satochip-applet v0.10-0.1: javacard applet for the Satochip hw wallet (to be used with the electrum-satochip or MyCrypto-Satochip gui wallet application). If 2-Factor-Authentication (2FA) is enabled, the Satochip-2FA app should be installed from the Android App Store. Compared to v0.9, this version supports signing custom tx hash directly, e.g. for Ethereum tx (since it uses SHA3 hash which is not supported natively by javacards).

The Satochip-applet is currently in Beta, so use with caution! In this phase, it is recommended to use the software on the Bitcoin/Ethereum testnet (e.g. using electrum.exe -v --testnet). This software is provided 'as-is', without any express or implied warranty. In no event will the authors be held liable for any damages arising from the use of this software.

Satochip v0.9

12 Nov 19:42

Satochip-applet v0.9-0.1: javacard applet for the Satochip hw wallet (to be used with the electrum-satochip gui wallet application). If 2-Factor-Authentication (2FA) is enabled, the Satochip-2FA app should be installed from the Android App Store. Compared to v0.8, this version is a patch to allow correct message signing for Litecoin and other altcoins with the custom format.

The Satochip-applet is currently in Beta, so use with caution! In this phase, it is recommended to use the software on the Bitcoin testnet (using electrum.exe -v --testnet). This software is provided 'as-is', without any express or implied warranty. In no event will the authors be held liable for any damages arising from the use of this software.

Satochip v0.8 with improved 2FA support

20 Sep 10:25

Satochip-applet v0.8-0.1: javacard applet for the Satochip hw wallet (to be used with the electrum-satochip gui wallet application). If 2-Factor-Authentication (2FA) is enabled, the Satochip-2FA app should be installed from the Android App Store. Compared to v0.7, this version has improved 2FA management:

  • in addition to transactions, 2FA is now required to sign messages, import eckey and reset seed/eckey/2FA.
  • 2FA can only be disabled when the seed and all private keys are cleared.

The Satochip-applet is currently in Beta, so use with caution! In this phase, it is recommended to use the software on the Bitcoin testnet only (using electrum.exe -v --testnet). This software is provided 'as-is', without any express or implied warranty. In no event will the authors be held liable for any damages arising from the use of this software.